Follow by Email

Wednesday, February 12, 2014

The GRC-enabled Cloud – governance, risk and compliance may be simpler, faster, cheaper, more trusted – eventually

When we talk about the Cloud, whether it is an internal cloud
and external cloud (i.e. public cloud) or a private cloud (i.e. hybrid cloud),
we are inevitably led to consider GRC. To date the Cloud GRC discussion has
been limited to issues of privacy, trust, reliability and availability,
narrowly focused at times on security. This is typical when profound changes
are underway driving any paradigm shift, and this evolution to the Cloud is
truly profound for IT. It changes not everything, but nearly everything. It is as transformational for IT, and perhaps
more so, than the movement from centralized to distributed client server
computing in the 90’s.

Going forward, we need to broaden the Cloud discussion to
imagine the scenarios where the Cloud is GRC-enabled, at the appropriate level,
matching the precise needs of its diverse and distinct user communities. It’s
time to reframe the discussion in a way that frees us to think strategically
and practically about how the Journey to the Cloud may actually evolve. By
doing this we can be proactive and creative, and avoid the inevitable
backtracking and reworking that occurs when we react piecemeal to profound
change. Let’s Rise Above the Clouds for a moment, and ‘blue sky’ GRC concepts one
by one.

Governance in the Cloud.

What would a Governance-enabled Cloud look like? Governance
translates directly through policy to authority, behavior and access in the
Cloud.

Policy would need to be based not only on business and regulatory
requirements, but on best practices that can be translated from written edicts
through instantiations of configurations for all in-scope technologies. For
example, applications would specify their operational policies; hosts would
specify their control capabilities and hosting would occur when policies match
control capabilities.

Classification Schema would need to underpin the
policies that govern behavior of entities, in particular, applications,
information or virtualized environs.Entities would need to know their GRC profile, that is, how they are
classified and what their attendant configuration and protection requirements
are, and by extension, what the characteristics of their target cloud environs
must be.

Chain of Trust-Custody. We know about chain of custody in
the legal and even information security sense. When clouds negotiate handoffs in this
dynamic, fluid eco-system, the chain of trust would need to be carried with it,
logged, analyzed, and be auditable. If the chain should break, it must either stop
the movement or self-heal. Policy shapes the rules of interaction and policy
enforcement would be able to break bindings dynamically.

Risk Management in the Cloud.

What would a Risk Management-enabled cloud look like? Risk
translates directly to the probability or likelihood that a threat will have a
negative impact on an entity.

Business Impact Analysis (BIA) would need to be continuous and
based on known and accepted levels of risk tolerance, at many levels of
granularity, running from business process through the stack to applications,
information and cloud environ. BIA would be based on not just availability(A), as
we see today in business continuity, but also on confidentially(C) to ensure
privacy and integrity(I) to ensure data quality, as well. This BIA-CIA profile
would map into the governance classification schema, and be a foundation stone
to facilitate trust.

Threat and Vulnerability Analysis would need to be dynamic,
absorbing new threat-vulnerability pairs, and determining probabilities by
sensing their context through the type of e-discovery, instrumentation and
configuration controls monitoring that is possible at granular levels through
the hypervisor. We have this type of technology today at the network level
within the internal cloud; we need to extend it across cloud eco-systems.

Risk Analysis and Remediation would need to be dynamic;
near-real time.Blocking and quarantining
technologies will be part of the solution but most importantly, human-machine
and machine-machine visibility into configuration postures, coupling and
service levels will enable just-in-time remediation.

Compliance in the Cloud.

What would a Compliance-enabled cloud look like? Compliance
translates into understanding how policy enforces regulatory and business
requirements in the cloud, through the use of controls.

Control Rationalization and Normalization would need
to be more automated. Conflicting
controls would be rooted out and overlapping controls allowed to persist only
in those environs where deeper levels of defense are required, based on
classifications and policy.

Control Implementation would need to be dynamic when
possible. Human intervention will bottleneck processes, and where communication
is machine-machine, collaborative decisions will need to be negotiated through
rules or inference. Compliance will involve knowing such things as where
information resides (or has resided), where it has been transmitted (to, from
or through regulatory boundaries) and how it is protected (at rest or in flight,
notified, consented or ‘safe harbor-ed’).